IETF Logo Mail Archive

Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns

Nathan Ward <v6ops@daork.net> Wed, 22 October 2008 06:05 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DD3123A6886 for <ietfarch-v6ops-archive@core3.amsl.com>; Tue, 21 Oct 2008 23:05:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.321
X-Spam-Level:
X-Spam-Status: No, score=-5.321 tagged_above=-999 required=5 tests=[AWL=-0.273, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2HJz0kW3IXEd for <ietfarch-v6ops-archive@core3.amsl.com>; Tue, 21 Oct 2008 23:05:40 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id DF9183A67DD for <v6ops-archive@lists.ietf.org>; Tue, 21 Oct 2008 23:05:39 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1KsWl2-00092O-Kl for v6ops-data@psg.com; Wed, 22 Oct 2008 05:59:48 +0000
Received: from [60.234.76.2] (helo=unobtainium.braintrust.co.nz) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <v6ops@daork.net>) id 1KsWkw-00091q-Aq for v6ops@ops.ietf.org; Wed, 22 Oct 2008 05:59:45 +0000
Received: from [192.168.0.51] (ip-118-90-107-173.xdsl.xnet.co.nz [118.90.107.173]) by unobtainium.braintrust.co.nz (Postfix) with ESMTP id A3E5527940; Wed, 22 Oct 2008 18:59:37 +1300 (NZDT)
Cc: Suresh Krishnan <suresh.krishnan@ericsson.com>, Christian Huitema <huitema@windows.microsoft.com>, Kurt Zeilenga <Kurt.Zeilenga@Isode.com>, Pasi Eronen <Pasi.Eronen@nokia.com>, Tim Polk <tim.polk@nist.gov>, "secdir@mit.edu" <secdir@mit.edu>, "Jim_Hoagland@symantec.com" <Jim_Hoagland@symantec.com>, Dave Thaler <dthaler@windows.microsoft.com>, "v6ops@ops.ietf.org" <v6ops@ops.ietf.org>
Message-Id: <5333EA69-337F-4373-A247-1852B61D96C0@daork.net>
From: Nathan Ward <v6ops@daork.net>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <48FE4681.4070006@gmail.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v929.2)
Subject: Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns
Date: Wed, 22 Oct 2008 18:59:36 +1300
References: <8B128AB2-BBD9-49B9-A837-F00DD80BF5D3@Isode.com> <48F2C29B.8090900@ericsson.com> <D6947E23-5209-4767-882A-7EBA645B3DCB@daork.net> <48F8EE0D.4060307@ericsson.com> <48FB9A79.8040407@gmail.com> <8EFB68EAE061884A8517F2A755E8B60A134A70E895@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com> <48FDFBCB.1090508@ericsson.com> <48FE4681.4070006@gmail.com>
X-Mailer: Apple Mail (2.929.2)
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

On 22/10/2008, at 10:15 AM, Brian E Carpenter wrote:

> Suresh,
>
> You wrote to Christian:
>
>> While I agree with you about the possibility of an "arms race" I  
>> really
>> do not see anything we can do about this. What would you recommend
>> instead? I am really open to suggestions.
>
> My feeling is that we need to tell IT managers something like
> "If your users have a need for IPv6 tunnels, here is how to
> make them as safe as possible:
>
> <description of mechanisms, e.g. for detecting DoS,...>
>
> and after that, explain the threats, and state that tunnels
> should be disabled if you are not protected against the threats.
>
> There are also other positive suggestions, like operating
> an on-site 6to4 relay and/or Teredo server, so that those
> mechanisms don't cross the border router.

Operating a Teredo server on site does not help unfortunately.

It helps an administrator filter outbound packets when sent to an IPv6  
address outside 2001::/32. It does not help an administrator filter  
inbound packets, or packets to/from other Teredo hosts.

> I agree with you that there are real threats (or will be, once
> there is enough deployment to make IPv6 tunnels an interesting
> target). It's quite appropriate to document them.


I need to preface these remarks by say that I haven't read the  
document apart from a quick skim read, so sorry if I'm saying  
something that's already in there, or is not relevant.

I think it's important to distinguish between tunnels that end users'  
systems create automatically (ala 6to4, Teredo in Vista), and tunnels  
that end users create to work around firewalls.

The former is easy to document solutions for, in fact, it seems to me  
that any tunnelling protocol RFC should include details as to how a  
network administrator can prevent these protocols passing through  
their network. For Teredo this means blocking port 3544/3545. For 6to4  
this means blocking protocol 41 (preferably returning ICMPv6 messages  
encapsulated in 6to4 so the the application is told about it..). This  
is more about blocking things that do not work or perform poorly in a  
certain environment, rather than trying to secure a network.

The latter is not so easy, and I think this document should simply  
point out that the only way to really do this is to completely control  
the end users' machines, and not allow any third party software or  
configuration changes. Anything else is instilling a false sense of  
security in the minds of network administrators who perhaps are not as  
fluent in these things as we are.

--
Nathan Ward

v2.23.0 | Report a Bug | By Email